State and local facilities automate, too

To properly handle patch deployment, administrators need a system of checks and balances, said Dan Ruesch, information security manager for the South Dakota Air National Guard.

The organization began using Microsoft's Systems Management Server to send patches to the approximately 600 workstations at its air base. That approach worked fine, but administrators had no way of verifying that a patch had been correctly installed.

"We needed a real-time look at computers on the network," instead of sending employees to do it manually, Ruesch said.

For that real-time view, the Air National Guard brought in Shavlik's HFNetChkPro 4.0. "If [Systems Management Server] missed a machine, we can use Shavlik as a check-and-balance system," Ruesch said.

HFNetChkPro can be set to automatically scan a wide range of Microsoft platforms — including Windows NT, Windows XP, Windows Server, Exchange and Outlook — and update machines with the necessary security patches.

City officials in Sioux Falls, S.D., averted a major network infection from a laptop stricken with the Blaster worm because its network administrator had deployed the proper patch using St. Bernard Software's UpdateExpert patch management system.

UpdateExpert "was critical to keeping our network secure," said Monte Watembach, the city government's network administrator. "Even though we have [Microsoft's Systems Management Server], it was too cumbersome to use." With St. Bernard's software, "we actually had the Blaster patch on [desktop computers] before Blaster hit."

One feature Update Expert doesn't support now but Watembach would like to see added is a better way to track remote users who haven't logged on for months.

"When a [remote] user logs into my domain, I would like to deploy all the requisite updates," said Watembach, who is responsible for patching about 900 workstations and servers.

He said he tests patches by deploying them to a small number of users, usually in the IT department. To determine how well a patch will work, it must be tested on the machines on which people are actually doing their work, he added.

Several years ago, officials for the city of Boulder, Colo., didn't apply patches. But when they moved from Windows 98 to Windows NT, 2000 and XP, patch management became more critical, said Allyn McMullin, senior PC specialist with the city's information technology department.

"Vulnerabilities are cropping up more often," McMullin said. To cope with that reality, officials set up an internal server that downloads updates from Microsoft's patch server. IT staffers schedule patch deployments via LANDesk Software's Patch Manager, which is a component of the company's Management Suite.

When news began surfacing about the Blaster worm last summer, Boulder's IT staff used LANDesk's tools to see if all of the city government's desktop computers had the patch. Most of the 1,200 workstations had been patched, but 300 hadn't been. With LANDesk, the IT department was able to patch all of the systems in a matter of hours, McMullin said.

Because LANDesk's product is a suite of tools, IT employees can do more than just manage patches, McMullin said. They can also manage desktops remotely and perform other software upgrades.